Processes running after RouterOS 2.9.14 boots
look, it's like this..
Reply to post #1 by 想得太美
Yes, but you only get to play with it for one day! If anyone has time, could you try to crack (PJ) this version? Maybe someone already has, but is afraid of the impact and isn't releasing it. I found that its encryption and decryption use the following functions:
0x4012ada0 xdr_float
0x4012ade0 xdr_double
0x4012ae80 xdrmem_create
0x4012b150 xdrrec_create
0x4012b600 xdrrec_endofrecord
0x4012b7e0 xdrrec_eof
0x4012b850 xdrrec_skiprecord
0x4012ba40 xdr_reference
0x4012bb60 xdr_pointer
0x4012bbe0 xdrstdio_create
0x4012be90 getpublickey
0x4012bf60 getsecretkey
0x4012c170 xdr_sizeof
0x4012c230 authdes_create
0x4012c690 authdes_pk_create
0x4012c920 xdr_authdes_cred
0x4012c9c0 xdr_authdes_verf
0x4012cad0 cbc_crypt
0x4012cb60 ecb_crypt
0x4012d8a0 des_setparity
0x4012d8e0 key_gendes
0x4012ddd0 key_get_conv
0x4012de30 key_setnet
0x4012de90 key_decryptsession_pk
0x4012df10 key_encryptsession_pk
0x4012df90 key_decryptsession
0x4012e000 key_encryptsession
0x4012e070 key_secretkey_is_set
0x4012e0f0 key_setsecret
0x4012e190 xdr_keystatus
0x4012e1c0 xdr_keybuf
0x4012e200 xdr_netnamestr
0x4012e240 xdr_cryptkeyarg
0x4012e290 xdr_cryptkeyarg2
0x4012e2f0 xdr_cryptkeyres
0x4012e350 xdr_unixcred
0x4012e3c0 xdr_getcredres
0x4012e420 xdr_key_netstarg
0x4012e480 xdr_key_netstres
0x4012e4e0 user2netname
0x4012e5f0 host2netname
0x4012e740 getnetname
0x4012e7a0 netname2user
0x4012e870 netname2host
Disassembled one of them, key_get_conv:
Dump of assembler code for function key_get_conv:
0x4012ddd0 : push %ebp
0x4012ddd1 : mov %esp,%ebp
0x4012ddd3 : push %ebx
0x4012ddd4 : sub $0xc,%esp
0x4012ddd7 : call 0x4012dddc
0x4012dddc : pop %ebx
0x4012dddd : add $0x34218,%ebx
0x4012dde3 : mov 0x8(%ebp),%ecx
0x4012dde6 : lea 0xfffffff0(%ebp),%eax
0x4012dde9 : mov 0xffffff74(%ebx),%edx
0x4012ddef : push %eax
0x4012ddf0 : mov 0xffffff34(%ebx),%eax
0x4012ddf6 : push %eax
0x4012ddf7 : mov $0xa,%eax
0x4012ddfc : call 0x4012dc10
0x4012de01 : test %eax,%eax
0x4012de03 : jne 0x4012de0f
0x4012de05 : mov $0xffffffff,%eax
0x4012de0a : mov 0xfffffffc(%ebp),%ebx
0x4012de0d : leave
0x4012de0e : ret
0x4012de0f : mov 0xfffffff0(%ebp),%ecx
0x4012de12 : test %ecx,%ecx
0x4012de14 : jne 0x4012de05
0x4012de16 : mov 0xfffffff4(%ebp),%edx
0x4012de19 : mov 0xfffffff8(%ebp),%ecx
0x4012de1c : mov 0xc(%ebp),%eax
0x4012de1f : mov %edx,(%eax)
0x4012de21 : mov %ecx,0x4(%eax)
0x4012de24 : xor %eax,%eax
0x4012de26 : mov 0xfffffffc(%ebp),%ebx
0x4012de29 : leave
0x4012de2a : ret
0x4012de2b : nop
0x4012de2c : lea 0x0(%esi),%esi
Anyone interested can contact me and we can look into it together. Heh :P
I found that ros29's encryption is very different from 28's. It seems to use inter-process communication: the encryption and decryption themselves are not contained in a single program, so brute-forcing a single program is impossible. I figured out a way to install a shell on it; below is the dmesg output:
Linux version 2.4.31 (build@builder) (gcc version 2.95.4 20011002 (Debian prerelease)) #2 Thu Feb 23 17:25:23 EET 2006
BIOS-provided physical RAM map:
BIOS-e820: 0000000000000000 - 000000000009f800 (usable)
BIOS-e820: 000000000009f800 - 00000000000a0000 (reserved)
BIOS-e820: 00000000000dc000 - 0000000000100000 (reserved)
BIOS-e820: 0000000000100000 - 0000000003ef0000 (usable)
BIOS-e820: 0000000003ef0000 - 0000000003eff000 (ACPI data)
BIOS-e820: 0000000003eff000 - 0000000003f00000 (ACPI NVS)
BIOS-e820: 0000000003f00000 - 0000000004000000 (usable)
BIOS-e820: 00000000fec00000 - 00000000fec10000 (reserved)
BIOS-e820: 00000000fee00000 - 00000000fee01000 (reserved)
BIOS-e820: 00000000fffe0000 - 0000000100000000 (reserved)
64MB LOWMEM available.
On node 0 totalpages: 16384
zone(0): 4096 pages.
zone(1): 12288 pages.
zone(2): 0 pages.
Kernel command line: ro root=100
Initializing CPU#0
Detected 1901.270 MHz processor.
Console: colour VGA+ 80x25
Calibrating delay loop... 3801.08 BogoMIPS
Memory: 62864k/65536k available (973k kernel code, 2220k reserved, 257k data, 68k init, 0k highmem)
Dentry cache hash table entries: 8192 (order: 4, 65536 bytes)
Inode cache hash table entries: 4096 (order: 3, 32768 bytes)
Mount cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer cache hash table entries: 4096 (order: 2, 16384 bytes)
Page-cache hash table entries: 16384 (order: 4, 65536 bytes)
CPU: CLK_CTL MSR was 0. Reprogramming to 20000000
CPU: L1 I Cache: 64K (64 bytes/line), D cache 64K (64 bytes/line)
CPU: L2 Cache: 256K (64 bytes/line)
CPU: After generic, caps: 0383fbff c1c3fbff 00000000 00000000
CPU: Common caps: 0383fbff c1c3fbff 00000000 00000000
CPU: AMD Athlon(tm) XP 2200+ stepping 01
Enabling fast FPU save and restore... done.
Enabling unmasked SIMD FPU exception support... done.
Checking 'hlt' instruction... OK.
POSIX conformance testing by UNIFIX
PCI: PCI BIOS revision 2.10 entry at 0xfd9a0, last bus=1
PCI: Using configuration type 1
PCI: Probing PCI hardware
PCI: Probing PCI hardware (bus 00)
PCI: Using IRQ router PIIX/ICH at 00:07.0
PCI: Cannot allocate resource region 4 of device 00:07.1
Limiting direct PCI/PCI transfers.
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
Journalled Block Device driver loaded
pty: 256 Unix98 ptys configured
Serial driver version 5.05c (2001-07-08) with MANY_PORTS SHARE_IRQ SERIAL_PCI enabled
ttyS00 at 0x03f8 (irq = 4) is a 16550A
ttyS01 at 0x02f8 (irq = 3) is a 16550A
Real Time Clock Driver v1.10f
Floppy drive(s): fd0 is 1.44M
FDC 0 is a post-1991 82077
RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
Uniform Multi-Platform E-IDE driver Revision: 7.00beta4-2.4
ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx
hda: VMware Virtual IDE Hard Drive, ATA DISK drive
hdb: VMware Virtual IDE CDROM Drive, ATAPI CD/DVD-ROM drive
ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
hda: attached ide-disk driver.
hda: 209715 sectors (107 MB) w/32KiB Cache, CHS=832/4/63
Partition check:
hda: hda1
Initializing Cryptographic API
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 4096 bind 4096)
Linux IP multicast router 0.06 plus PIM-SM
RAMDISK: Compressed image found at block 0
Freeing initrd memory: 3k freed
VFS: Mounted root (ext2 filesystem) readonly.
Freeing unused kernel memory: 68k freed
hda2: bad access: block=2, count=2
end_request: I/O error, dev 03:02 (hda), sector 2
EXT3-fs: unable to read superblock
hda2: bad access: block=2, count=2
end_request: I/O error, dev 03:02 (hda), sector 2
EXT2-fs: unable to read superblock
kjournald starting.Commit interval 5 seconds
EXT3-fs: mounted filesystem with ordered data mode.
EXT3 FS 2.4-0.9.19, 19 August 2002 on ide0(3,1), internal journal
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
panicSaver: starting...
panicSaver: start at sector 0x0000c763
panicSaver: will write 2 sectors
panicSaver: started
CSLIP: code copyright 1989 Regents of the University of California
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP MPPE compression module registered
Generic GRE driver
GRE: registered protocol 0xb88
l2tp_init
IPv4 over IPv4 tunneling driver
Registering EoGRE
GRE: registered protocol 0x64
NET4: Ethernet Bridge 008 for NET4.0
Bridge firewalling registered
PCQ: registered per-connection queue
AGR: registered qdisc
pcnet32.c:v1.30h 06.24.2004 tsbogend@alpha.franken.de
PCI: Found IRQ 11 for device 00:11.0
pcnet32: PCnet/PCI II 79C970A at 0x1080, 00 0c 29 cc da 21 assigned IRQ 11.
eth0: registered as PCnet/PCI II 79C970A
PCI: Found IRQ 10 for device 00:12.0
pcnet32: PCnet/PCI II 79C970A at 0x1400, 00 0c 29 cc da 2b assigned IRQ 10.
eth1: registered as PCnet/PCI II 79C970A
pcnet32: 2 cards_found.
imq driver loaded.
RATE: registered
802.1Q VLAN Support v1.8 Ben Greear
All bugs added by David S. Miller
isdnphone: driver initialized, time = 850
ISDN subsystem Rev: 1.1.4.1/1.1.4.1/1.1.4.1/1.1.4.1/1.1.4.1/1.1.4.1 loaded
scx200_wdt: NatSemi SCx200 Watchdog Driver
Software Watchdog Timer: 0.05, timer margin: 60 sec
isapnp: Scanning for PnP cards...
isapnp: No Plug & Play device found
Linux Kernel Card Services 3.1.22
options:
Intel ISA PCIC probe: not found.
ds: no socket drivers loaded!
usb.c: registered new driver usbdevfs
usb.c: registered new driver hub
usb-uhci.c: $Revision: 1.275 $ time 17:23:12 Feb 23 2006
usb-uhci.c: High bandwidth mode enabled
usb-uhci.c: v1.275:USB Universal Host Controller Interface driver
lcd module loaded
ip_conntrack version 2.1 (27648 buckets, 110592 max) - 336 bytes per conntrack
i2c-core.o: i2c core module version 2.7.0 (20021208)
Netfilter messages via NETLINK v0.12.
i2c-nscacb.o version 1.3.1
ctnetlink v0.12: registering with nfnetlink.
nfnetlink_subsys_register: registering subsystem ID 1
i2c-proc.o version 2.7.0 (20021208)
lm87.o version 2.7.0 (20021208)
ip_tables: (C) 2000-2002 Netfilter core team
ipt_time loading
ipt_random match loaded
netfilter PSD loaded - (c) astaro AG
eth0: devid 1
eth1: devid 2
Big bump
hao de (good)
Can't understand it...
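The key_get_conv routine dumped in the post above, rewritten as C. This is an added example, not code from the post or from RouterOS. The body follows the instruction sequence exactly: key_call is invoked with procedure number 10 in %eax (KEY_GET_CONV in rpc/key_prot.h), the function returns -1 if that call reports failure or if the status word at -0x10(%ebp) is non-zero, otherwise it copies two 32-bit words (the 8-byte DES block) into the caller's buffer and returns 0. That is the shape of glibc's Secure RPC client stub key_get_conv, and the call/pop/add on %ebx at 0x4012ddd7 is the i386 PIC idiom that loads the library's GOT address (0x4012dddc + 0x34218 = 0x40161ff4) so the two function pointers fetched relative to %ebx are resolved through the GOT. In glibc, key_call forwards the request to the keyserv daemon over RPC, which fits the poster's observation that the crypto is not inside the single binary; what, if anything, answers that request on the box is not shown by the post. The key_call below is a constructed in-process stand-in (an assumption made so the example runs offline) that answers from a fixed table keyed on the public-key string, and conv_key_byte is a hypothetical helper added for the demonstration.

```c
/* Reconstruction of key_get_conv from the gdb dump above (added example).
 * Struct layout and constants follow rpc/key_prot.h; the "keyserv" is a
 * constructed in-process stand-in, no RPC is performed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_GET_CONV 10          /* the "mov $0xa,%eax" before the call */

enum keystatus { KEY_SUCCESS = 0, KEY_NOSECRET = 1, KEY_UNKNOWN = 2, KEY_SYSTEMERR = 3 };

typedef union { uint32_t key_u32[2]; char key_c[8]; } des_block;

/* cryptkeyres as it sits in the frame: status at -0x10(%ebp),
 * the 8-byte key at -0xc(%ebp) / -0x8(%ebp). */
typedef struct {
    enum keystatus status;
    des_block deskey;
} cryptkeyres;

typedef int (*xdrproc_t)(void *xdrs, void *obj);

/* In the binary these two are GOT slots loaded relative to %ebx;
 * here they are pass-through placeholders. */
static int xdr_keybuf(void *xdrs, void *obj) { (void)xdrs; (void)obj; return 1; }
static int xdr_cryptkeyres(void *xdrs, void *obj) { (void)xdrs; (void)obj; return 1; }

/* Constructed stand-in for the keyserv round trip (assumption for the demo).
 * Dispatch on the peer public-key string:
 *   "peer-ok"      -> KEY_SUCCESS with a fixed conversation key
 *   "peer-unknown" -> daemon answers, but with KEY_UNKNOWN
 *   anything else  -> transport failure, key_call returns 0 */
static int key_call(unsigned long proc, xdrproc_t xdr_arg, char *arg,
                    xdrproc_t xdr_res, char *res)
{
    cryptkeyres *out = (cryptkeyres *)res;
    if (proc != KEY_GET_CONV || !xdr_arg(NULL, arg))
        return 0;
    if (strcmp(arg, "peer-ok") == 0) {
        out->status = KEY_SUCCESS;
        memcpy(out->deskey.key_c, "\x01\x23\x45\x67\x89\xab\xcd\xef", 8);
    } else if (strcmp(arg, "peer-unknown") == 0) {
        out->status = KEY_UNKNOWN;
        memset(&out->deskey, 0, sizeof out->deskey);
    } else {
        return 0;                       /* daemon unreachable */
    }
    return xdr_res(NULL, res);
}

int key_get_conv(char *pkey, des_block *deskey)
{
    cryptkeyres res;
    if (!key_call(KEY_GET_CONV, xdr_keybuf, pkey, xdr_cryptkeyres, (char *)&res))
        return -1;                      /* 0x4012de01: test %eax,%eax -> mov $-1,%eax */
    if (res.status != KEY_SUCCESS)
        return -1;                      /* 0x4012de0f: test status word -> same -1 path */
    *deskey = res.deskey;               /* 0x4012de16..21: two dword stores into *deskey */
    return 0;                           /* xor %eax,%eax */
}

/* Hypothetical helper: byte i of the conversation key for peer, or -1 if
 * key_get_conv failed (or i is out of range). */
int conv_key_byte(const char *peer, int i)
{
    char pkey[64];
    des_block k;
    if (i < 0 || i > 7)
        return -1;
    snprintf(pkey, sizeof pkey, "%s", peer);
    if (key_get_conv(pkey, &k) != 0)
        return -1;
    return (unsigned char)k.key_c[i];
}

int main(void)
{
    const char *peers[] = { "peer-ok", "peer-unknown", "peer-down" };
    for (int p = 0; p < 3; p++) {
        printf("%-13s", peers[p]);
        if (conv_key_byte(peers[p], 0) < 0) {
            printf(" key_get_conv -> -1\n");
            continue;
        }
        printf(" key_get_conv -> 0, key =");
        for (int i = 0; i < 8; i++)
            printf(" %02x", conv_key_byte(peers[p], i));
        printf("\n");
    }
    return 0;
}
```

The point of the reconstruction is the control flow: both the transport failure and a non-zero status collapse into the same -1 return, and no key material or DES code lives in this routine. It is only the client side of a request, so dumping it tells you where to look next (the process that services key_call), not how the key is derived.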
Reply to post #10 by lzbnet
I don't get it either! Bumping it up..